From: rbaumhof <ralf.baumhof@web.de>
To: user@geronimo.apache.org
Date: Wed, 26 Mar 2008 09:00:01 -0700 (PDT)
Subject: Re: How to use JAAS with JSF , best practice
Message-ID: <16304268.post@talk.nabble.com>
References: <1026051509@web.de>

The workflow of the application should be the following:

login.jsp: the user enters userid and password and presses the login button.
Then someone (j_security_check) checks that this is a valid user. If user and
password are valid, the groups of the user are loaded.

If the user belongs to only one group (i.e. administrator), then the welcome
page with the (administration) menu is displayed.

If the user belongs to more than one group (i.e. local-administrator and
application-user), then selectRole.jsp is displayed. Here a listbox should be
displayed where he can select the role.

Now, when I describe the workflow, I see that this cannot be done by the
servlet authentication mechanism. I think we must write our own filter to
watch the requested pages.

Thanks for your help!!

djencks wrote:
>
> This looks to me like a really useful use case and I hope we can figure out
> a good solution quickly and document it. I hope someone who knows more about
> JSF than I can help or the "quickly" part is unlikely :-)
>
> On Mar 18, 2008, at 11:05 PM, Ralf Baumhof wrote:
>
>> I have got an application where after a successful login the user maybe
>> must select a role (the user may be an administrator and a standard user).
>> So, a navigation to a role-selection-page must be performed. We are using
>> JSF pages for the view component, so we have an easy and powerful
>> navigation mechanism.
>
> I've wondered about how to do stuff like this and have a couple questions
> - Does authenticating the user happen before or after the user chooses the
>   role they wish to be in?
> - Is the user presented with a list of possible roles based on their
>   identity?
> - How many web pages does this process take up? E.g., is role selection on
>   the same page or a different page than filling in user/credential info?
>
>> From the web application security example (see
>> http://cwiki.apache.org/GMOxDOC20/web-application-security-sample.html) we
>> know a very good and easy way of using JAAS authentication with a geronimo
>> security realm. This example uses the standard servlet authentication
>> procedure for login at the web container. This procedure requires a simple
>> html page with the j_security_check action. So, if we are using JSF pages
>> we are losing a lot of the powerful JSF navigation features. So my attempt
>> was to use a JSF page with a JSF backing bean which performs the step by
>> itself using the LoginContext.login("my-security-realm",myCallBackHandler)
>> method. This also works fine, but the authentication is only done with the
>> ejb container. Tomcat is not informed about the user login. So the secure
>> pages are still restricted.
>
> I think the reason this is tricky is that the javaee security model has the
> container making the authentication and access decisions in container code
> that is accessed before the control gets to any user code. There is no
> provision for the user code to either help with container managed
> authentication or authorization. So, by the time control gets to the code
> backing the jsf components, both authentication and authorization should
> have taken place.
>
> As a wild and unlikely idea, could some of the JSF component code forward an
> appropriately munged request to the j_security_check stuff?
>
> You might try the geronimo-specific ContextManager.login method which will
> at least engage geronimo's security framework. I don't think it will work
> though for repeated requests as I don't see any way for tomcat to recognize
> that the next request is from the same user.
>
> It might also be possible to fish around inside tomcat to get the
> Authenticator and use that instead of ContextManager.login. Since this is
> what tomcat does anyway this should install the stuff tomcat uses to track
> the user.
>
> It might also be possible to do something elegant in the new and
> not-in-geronimo-yet jaspi spec.
>
> Does the jsf spec have anything to say about this?
>
> thanks
> david jencks
>
>> Does anybody know a better way of integrating JAAS with JSF with the
>> purpose of not losing the JSF navigation features??
>> Thanks in advance!!

--
View this message in context: http://www.nabble.com/How-to-use-JAAS-with-JSF-%2C-best-practice-tp16137644s134p16304268.html
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.
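One way to write the filter the reply above concludes the application needs, as an added example that is not from the thread or from Geronimo: it lets the container keep doing authentication through j_security_check and only enforces the "choose a role" step and the pages each chosen role may reach. It assumes the three group names map to container roles of the same name, that selectRole.jsp is reached as /selectRole.jsf, and that the chosen role is kept in the session attribute selectedRole; the choice is re-checked against isUserInRole on every request so the session can only ever hold a role the realm actually granted.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical filter: the container (j_security_check) has already authenticated the
// user; this only decides whether a role must still be chosen and which pages the
// chosen role may reach. Role names, paths and the session key are assumptions.
public class RoleSelectionFilter implements Filter {
    static final String SELECTED_ROLE = "selectedRole";   // session attribute (assumed)
    static final String SELECT_PAGE = "/selectRole.jsf";  // assumed view id of selectRole.jsp
    static final String ADMIN_PREFIX = "/admin/";         // assumed administrator-only area
    static final List<String> KNOWN_ROLES =
        Arrays.asList("administrator", "local-administrator", "application-user");
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    // Roles the realm actually granted to this user; the session value alone is never trusted.
    static List<String> grantedRoles(HttpServletRequest req) {
        List<String> out = new ArrayList<String>();
        for (String r : KNOWN_ROLES) if (req.isUserInRole(r)) out.add(r);
        return out;
    }
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        String path = req.getServletPath();   // assumes *.jsf extension mapping for JSF views
        if (req.getRemoteUser() == null || SELECT_PAGE.equals(path)) {
            chain.doFilter(rq, rs);           // not logged in yet, or on the selection page itself
            return;
        }
        List<String> granted = grantedRoles(req);
        if (granted.isEmpty()) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        HttpSession session = req.getSession();
        String selected = (String) session.getAttribute(SELECTED_ROLE);
        if (granted.size() == 1) {
            selected = granted.get(0);               // only one group: skip the selection page
            session.setAttribute(SELECTED_ROLE, selected);
        } else if (selected == null || !granted.contains(selected)) {
            session.removeAttribute(SELECTED_ROLE);  // no valid choice yet: force selectRole.jsp
            resp.sendRedirect(req.getContextPath() + SELECT_PAGE);
            return;
        }
        if (path.startsWith(ADMIN_PREFIX) && !"administrator".equals(selected)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);   // chosen role may not enter here
            return;
        }
        chain.doFilter(rq, rs);
    }
}
```

The backing bean behind selectRole.jsp stores the user's choice under selectedRole; because the filter recomputes the granted roles from isUserInRole on each request, a stale or tampered session value is simply discarded and the user is sent back to the selection page.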